Cybersecurity


OCC

News Brief

OCC emphasizes compliance’s role in FI’s operational resiliency

2024-06-20T15:40:00+01:00By

Compliance departments at financial institutions must become more involved in ensuring their firm’s operational resiliency to address emerging risks, the Treasury Department’s Office of the Comptroller of the Currency said in its semi-annual risk perspective.

SEC office

News Brief

SEC orders R.R. Donnelley to pay $2.1M over cyber-related control violations

2024-06-20T14:45:00+01:00By

A business communications and marketing services company agreed to pay more than $2 million to settle charges levied by the Securities and Exchange Commission over cybersecurity-related control violations.

DOJ

News Brief

DOJ orders consultants to pay $11.3M total for cyber rule violations

2024-06-18T19:49:00+01:00By

Guidehouse and Nan McKay and Associates will pay a total of $11.3 million to the Department of Justice (DOJ) to settle allegations that cybersecurity failures led to the theft of client personal information during the height of the COVID-19 pandemic.

Opinion

Top-of-mind takeaways from TPRM Summit

2024-06-17T21:11:00+01:00By

Top-of-mind issues addressed at Compliance Week’s Third-Party Risk Management & Oversight Summit, held June 3-4 in Atlanta, included safe deployment of artificial intelligence, assessing vendor viability and sustainability, understanding the role of procurement in risk ranking, the intersection (or lack thereof) between data privacy and cybersecurity, and many others.

Intercontinental Exchange

News Brief

SEC orders Intercontinental Exchange to pay $10M over Reg SCI violations

2024-05-22T19:30:00+01:00By

Intercontinental Exchange and nine affiliates agreed to pay $10 million for allegedly failing to inform the Securities and Exchange Commission of a cyber intrusion as required by Regulation Systems Compliance and Integrity.

Cybersecurity

News Brief

SEC official clarifies material incident reporting under new cyber rule

2024-05-22T16:35:00+01:00By

Erik Gerding, director of the Securities and Exchange Commission’s Division of Corporation Finance, issued a statement addressing early inconsistencies observed under the agency’s new cybersecurity incident disclosure rule.

Water system

News Brief

EPA warns of increased cybersecurity scrutiny toward water systems

2024-05-21T19:27:00+01:00By

The Environmental Protection Agency is increasing its inspections of public drinking water systems after finding a majority of those reviewed were vulnerable to cyberattacks and related threats.

CCPAUpdate

Premium

California privacy reg seeking more input on new rules

2024-05-20T15:11:00+01:00By

Businesses will receive additional time to weigh in on proposed regulations by the California Privacy Protection Agency regarding risk assessments, cybersecurity audits, automated decision-making, and data broker registration before they’re potentially finalized later this year.

SEC

News Brief

SEC amends Reg S-P to require data breach notification within 30 days

2024-05-16T19:10:00+01:00By

The Securities and Exchange Commission will require broker-dealers and registered investment advisers to adopt written policies and procedures for handling data breaches of customer data and notify affected customers within 30 days.

New York cyber-security

News Brief

NYDFS offers cyber rule compliance template for small businesses

2024-05-14T16:59:00+01:00By

The New York State Department of Financial Services issued guidance for small businesses attempting to comply with its cybersecurity regulations.

Cybersecurity icons

Premium

Survey: Public companies fear added cyber risks from SEC disclosures

2024-05-14T12:00:00+01:00By

Large public companies say they are prepared to comply with the disclosure requirements of the SEC’s new cybersecurity incident rule, according to a survey conducted by Compliance Week and DLA Piper, but concerns exist that those reports could enhance the threat of future cyberattacks.

Cyber-security

Premium

Report: Human error driving growing number of data breaches

2024-05-07T21:21:00+01:00By

Verizon’s annual data breach report shows trends in cybersecurity incidents, including more ransomware and extortion attacks last year.

FDIC

News Brief

Federal banking regulators issue TPRM guidance for community banks

2024-05-06T15:29:00+01:00By

The Federal Deposit Insurance Corporation, Federal Reserve Board, and Office of the Comptroller of the Currency combined to provide guidance on third-party risk management focused on the unique risks faced by community banks in their third-party relationships.

Resource

White paper: SEC doubles down on cyber risk management accountability

2024-05-05T17:30:00+01:00Provided by and

To help investors gain a better understanding of cyber risk, the US Securities and Exchange Commission (SEC) has created sweeping new rules—forcing companies to take a more proactive approach to cybersecurity.

News Brief

Insight Global to pay $2.7M over lax security on contact tracing data

2024-05-02T19:03:00+01:00By

Atlanta-based staffing agency Insight Global agreed to pay $2.7 million to settle alleged False Claims Act violations for failing to provide adequate cybersecurity on Covid-19 contact tracing data.

Health data

News Brief

State AGs tell UnitedHealth to do more in cyberattack aftermath

2024-04-30T20:18:00+01:00By

UnitedHealth Group’s response to a major cyberattack in February that wreaked havoc with medical payments nationwide has been “inadequate” and must be improved immediately, a group of 22 state attorneys general told the company.

FTC seal

News Brief

Mobile health apps must follow FTC breach notice rule after update

2024-04-26T18:49:00+01:00By

Mobile health applications and similar technologies must notify customers following a data breach or risk violating the Federal Trade Commission’s health breach notification rule.

Avast

News Brief

Czech DPA fines Avast $15M over GDPR violations

2024-04-25T16:33:00+01:00By

The Czech Republic’s data protection authority issued a fine of 351 million Czech koruna (U.S. $15 million) against antivirus software vendor Avast for alleged violations of the General Data Protection Regulation.

UnitedHealth

News Brief

Change Healthcare cyberattack updates detail massive impact, costs

2024-04-23T21:03:00+01:00By

The massive cyberattack on Change Healthcare has potentially compromised the personal and protected health information of an untold number of Americans, according to parent company UnitedHealth Group.

Resource

White paper: Automate to Accelerate: Overcoming Staffing and Compliance Challenges in Cyber Risk Management

2024-04-22T19:00:00+01:00Provided by

Spending countless hours tracking down controls evidence for your audit and compliance activities is an annoyance at best and a major drag on productivity and effectiveness at worst.

Webcast

CPE Webcast: Doubling down on compliance: Deep dive into SEC cybersecurity regulations

2024-04-09T14:00:00+01:00Provided by

KPMG and ServiceNow experts will delve into best practices to help you not only understand the new regulations but also navigate critical regulatory challenges by highlighting how a platform like ServiceNow can help with compliance.

AT&T

News Brief

AT&T: Data leak exposed info of 73M customers onto dark web

2024-04-01T14:00:00+01:00By

AT&T said personal account data on approximately 73 million current and former customers was released on the dark web two weeks ago but has not yet identified when and where the breach occurred.

News Brief

CISA teases cyber incident reporting rule for critical infrastructure

2024-03-28T20:52:00+00:00By

Financial businesses and other critical infrastructure entities would have to report significant cybersecurity and ransomware incidents to the federal government under a new rule that will be proposed by the Cybersecurity and Infrastructure Security Agency.

Deutsche Bank

News Brief

Deutsche Bank dinged $54K over IT incident reporting

2024-03-20T15:44:00+00:00By

Deutsche Bank was assessed a penalty of €50,000 (U.S. $54,000) by Germany’s financial supervisory authority for its alleged miscommunication of a 2023 information technology security incident.

ABN AMRO

News Brief

Departing ABN AMRO risk chief says climate, cyber among priorities

2024-03-15T19:27:00+00:00By

Tanja Cuppen, chief risk officer of ABN AMRO, shared her view on the Dutch bank’s biggest risk focus areas and the accomplishments of her tenure a month ahead of her planned departure.

Privacy Shield

Premium

Privacy by design a silver bullet for stemming AI risks?

2024-03-15T17:41:00+00:00By

The proliferation of artificial intelligence technologies—and their reliance on publicly available data—has reinforced the need for tech developers and the companies using their solutions to ensure privacy by design and by default is at the crux of any offering.

Health data

News Brief

Change Healthcare facing HHS probe following crippling cyberattack

2024-03-14T19:45:00+00:00By

Change Healthcare, a health payment processor hit by a crippling cyberattack in February, is under investigation by the Department of Health and Human Services’ Office for Civil Rights.

OCC sign

Premium

U.S. banking regs mulling enhanced operational resiliency frameworks

2024-03-13T19:47:00+00:00By

Acting Comptroller of the Currency Michael Hsu said federal banking agencies are considering enhancements to their operational resiliency requirements for member banks.

Reserve Bank of New Zealand

News Brief

New Zealand banks to report material cyber incidents within 72 hours

2024-03-11T16:58:00+00:00By

The Reserve Bank of New Zealand added new reporting requirements for its member banks to follow if they suffer a material cyber incident and for all types of cyberattacks.

UniCredit

News Brief

Italian DPA fines UniCredit $3M over data breach GDPR lapses

2024-03-11T15:54:00+00:00By

The Italian data protection authority announced a fine of €2.8 million (U.S. $3 million) against UniCredit for alleged violations of the General Data Protection Regulation regarding insufficient security measures the bank had in place during a cyberattack.

White House

News Brief

Biden executive order to target commercial data broker activities

2024-02-28T20:36:00+00:00By

A new executive order seeks to put clamps on the sale of Americans’ personal data by data brokers and other companies to certain countries found to be of national security concern.

AI for business

Article

CW National 2024 preview: Diana Kelley on AI implications for compliance

2024-02-26T11:30:00+00:00By

Artificial intelligence expert Diana Kelley will discuss what AI means for organizations and explore the technology’s implications for compliance and enterprise risk as part of a keynote address at Compliance Week’s National Conference in Washington, D.C.

DOJ wall

Premium

DOJ official: Expect more cybersecurity false claim enforcements

2024-02-23T14:05:00+00:00By

The announcement of a record year in several areas of False Claims Act enforcement at the Department of Justice was accompanied by a warning that more significant cases are coming, particularly regarding cybersecurity-related claims.

Cloud Computing

Premium

Toeing the ‘fine line’ of cloud security compliance

2024-02-14T22:26:00+00:00By

When organizations move their data or operations to the cloud, the compliance team has their work cut out and then some, experts discussed at CW’s Cyber Risk & Data Privacy Summit.

Health data

News Brief

Montefiore Medical Center to pay $4.8M over employee’s data theft

2024-02-07T21:51:00+00:00By

Montefiore Medical Center agreed to pay $4.75 million to settle allegations by the Department of Health and Human Services’ Office for Civil Rights that failures by the New York City nonprofit facility allowed an employee to steal and sell patient information for six months.

Google HQ

News Brief

Alphabet to pay shareholders $350M over Google+ privacy lapses

2024-02-07T18:00:00+00:00By

Alphabet, the parent company of technology giant Google, agreed to pay $350 million in a preliminary settlement with shareholders over alleged data privacy violations and materially false and misleading statements linked to now-defunct social media site Google+.

Data breach

Premium

Experts: Good data breach response grounded in preparation

2024-02-06T15:24:00+00:00By

Two chief compliance officers and an attorney discussed preparation for the “when, not if” threat of a data breach during a panel at CW’s Cyber Risk & Data Privacy Summit.

News Brief

Clorox discloses $49M hit from cyberattack

2024-02-05T21:50:00+00:00By

Cleaning products company Clorox disclosed the major cybersecurity incident that led to a shutdown of its automated order processing late last year has cost it about $49 million.

Blackbaud

News Brief

Blackbaud avoids fine in FTC deal requiring data deletion

2024-02-02T19:01:00+00:00By

Software company Blackbaud will be required to delete unnecessary data and boost cybersecurity as part of a proposed settlement with the Federal Trade Commission stemming from a 2020 data breach.

Citi

News Brief

N.Y. sues Citi for lax data security, failing to reimburse fraud victims

2024-01-31T19:27:00+00:00By

Citibank faces a lawsuit from New York Attorney General Letitia James for allegedly failing to protect and reimburse customers who lost thousands of dollars in fraudulent wire transfers.

Cyber locks

Premium

Consultation opens debate on proposed U.K. cyber governance code

2024-01-30T15:54:00+00:00By

Cybercrime is regularly cited as a leading concern for executives, yet board oversight of cyber risks is often inadequate and governance poorly understood, according to the authors of a proposed U.K. code of practice on cybersecurity governance.

DOJ

Premium

New DOJ cyber section wants more private sector partnership

2024-01-24T23:23:00+00:00By

Cooperation between businesses and the new cybersecurity section at the Department of Justice has led to the successful defanging of numerous, major ransomware operations worldwide in just the few months since its creation, according to its chief.

Computer hacked

Premium

OFAC official urges company transparency on ransomware events

2024-01-19T21:59:00+00:00By

Despite its reputation as a fierce enforcer of sanctions, the Office of Foreign Assets Control has a softer side and wants to help companies that are hit with ransomware attacks, according to the agency’s senior compliance officer.

VF

News Brief

VF discloses data breach impacted 35.5M customers

2024-01-19T19:40:00+00:00By

Apparel company VF Corp., the owner of brands including The North Face, Vans, and Timberland, disclosed its estimate that approximately 35.5 million customers had their personal data stolen as part of a cybersecurity incident it uncovered in December.

Robinhood

News Brief

Robinhood Financial to pay $7.5M in Mass. settlement

2024-01-18T20:54:00+00:00By

Online stock trading platform and broker-dealer Robinhood Financial agreed to pay a $7.5 million fine as part of a settlement with the Commonwealth of Massachusetts addressing claims related to “gamification” of its platform and cybersecurity issues that lent to a 2021 data breach.

News Brief

Genesis Global Trading fined $8M by NYDFS over AML, cyber lapses

2024-01-16T18:24:00+00:00By

Virtual currency brokerage firm Genesis Global Trading agreed to pay an $8 million penalty levied by the New York State Department of Financial Services for alleged compliance failures that left it vulnerable to illicit activity and cybersecurity threats.

Cybercrime

Premium

NIST report: Mitigating the risks of cyberattacks on AI systems

2024-01-11T21:11:00+00:00By

Cyberattacks on artificial intelligence systems are increasing, so it’s important users know their vulnerabilities and try to soften the damage if they get hit, according to a new report by the National Institute of Standards and Technology.

Deepfakes

Premium

Deepfakes: A silent threat to digital integrity and AML efforts

2024-01-11T13:00:00+00:00 By Rezaul Karim, CW guest columnist

Deepfakes have emerged in the digital world as a silent pandemic threatening not only our digital integrity but becoming a major risk to anti-money laundering efforts.

California

Premium

CPPA preview: Cybersecurity audit regs nearing formal proposal

2024-01-09T20:16:00+00:00By

Companies with business in California could face tough new cybersecurity mandates under draft regulations that could be headed for formal rulemaking as soon as Friday.

FINRA New York

News Brief

FINRA report: Exam trends on off-channel comms, crypto, cybersecurity

2024-01-09T18:09:00+00:00By

A new report from the Financial Industry Regulatory Authority provides observations from examiners on emerging issues affecting the industry, including surveilling potential use of off-channel communications by employees, crypto-asset developments, cybersecurity trends, and more.